Attackers Target Medical Research Staff with Credential Phishing Attacks

A new Proofpoint report shows a nation-state hacking group with ties to Iran is targeting senior medical research personnel in the US and Israel with credential phishing attacks.

By Jessica Davis

Senior medical research personnel in the US and Israel are being targeted by a credential phishing campaign launched by a nation-state hacking group with ties to Iran, according to a new Proofpoint report.

Proofpoint observed the hacking group known as TA453 targeting about 25 senior professionals at a range of medical research organizations in the US and Israel. The targeted workforce members were extremely senior personnel with backgrounds in either genetics, oncology, or neurology.

The group is also targeting Israeli organizations and individuals, activity that follows the increased geopolitical tensions between Israel and Iran in 2020.

TA453 is an Iranian-nexus threat actor that is also known as CHARMING KITTEN and PHOSPHORUS. The actors have been tied to the Islamic Revolutionary Guard Corps (IRGC), which historically prioritizes collection and targets dissidents, academics, and the like.

As such, the latest campaign, BadBlood, deviates from the group’s normal targeting activity. Proofpoint noted the campaign’s name is based on its medical focus and the continued geopolitical tensions between Iran and Israel.

While the report could not conclusively determine the actors’ motivation, the campaign appears to demonstrate an intelligence-gathering focus on collaborative medical research that is often informally conducted via email.

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be the result of a specific short term intelligence collection requirement,” researchers explained. “BadBlood is aligned with an escalating trend of medical research being increasingly targeted by threat actors.”

“Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients' accounts in further phishing campaigns,” they added.

In the campaign, which launched in December 2020, Proofpoint observed the hacking group using an actor-controlled Gmail account masquerading as a leading Israeli physicist. The messages used the subject “Nuclear Weapons at a Glance,” while the body leveraged social engineering lures to entice the user to engage.

The phishing emails contained links to a domain controlled by the attackers that directed the user to a landing page spoofing Microsoft OneDrive, complete with a PDF logo. If a user attempts to view and download the PDF file, it delivers a forged Microsoft login page aimed at harvesting login credentials.

Further, attempts to engage with other hyperlinks on the webpage bring the user to the same forged Microsoft login page. There’s also a fake sign-up link that prompts the user to create an account, in an attempt to dupe the user into providing personal information.
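The lure pattern described above, a freemail sender plus a OneDrive-branded link that points to a non-Microsoft host, can be checked at mail triage. The following is an added sketch, not code from Proofpoint or this article; the domain lists, the `triage` function, and the sample message (apart from the reported subject line) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed, deliberately incomplete lists for illustration; tune for your environment.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
MS_HOSTS = ("microsoft.com", "microsoftonline.com", "live.com",
            "sharepoint.com", "office.com", "onedrive.com")
BRAND_WORDS = re.compile(r"onedrive|microsoft|office365", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_ms_host(host):
    """True if host is one of MS_HOSTS or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MS_HOSTS)

def triage(raw):
    """Return the reasons a raw single-part HTML message matches the lure pattern."""
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in FREEMAIL:
        reasons.append("freemail-sender")
    for href, text in HREF.findall(msg.get_payload()):
        host = urlsplit(href).hostname
        # Microsoft branding in the link or its text, but a non-Microsoft destination.
        if BRAND_WORDS.search(href + " " + text) and not is_ms_host(host):
            reasons.append(f"brand-mismatch:{host}")
    return reasons

# Constructed sample; only the subject line comes from the reported campaign.
SAMPLE = """\
From: "Prof. Example" <prof.example@gmail.com>
To: researcher@hospital.example
Subject: Nuclear Weapons at a Glance
Content-Type: text/html

<p>Document: <a href="https://files.lure.example/onedrive/view?id=1">OneDrive PDF</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A freemail sender alone is weak evidence; the brand mismatch on the link destination is the stronger signal and is worth routing to analyst review.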

Proofpoint researchers could not definitively determine the goal of the campaign but noted that the group's previous attack methods focused on harvesting credentials to exfiltrate email inbox contents or compromising accounts for further phishing attacks.

The investigation into the campaign also led to the identification of other domains attributed to TA453 with high confidence.

“Telemetry indicated additional actor-controlled domains were used in TA453 campaigns attempted to compromise more traditional TA453 targets with a similar attack chain in late December 2020,” researchers explained.

“The provided lure documents at the end of the attack chain share similar, national security themes, including Congressional Research Reports, think tank publications, and other policy minded documents,” they added. 

Again, the researchers could not conclusively correlate all of the detected domains with phishing campaigns, but the activity was consistent with the BadBlood campaign. They also couldn’t independently attribute TA453 to the IRGC.

Overall, the campaign aligns with further phishing campaigns targeting medical research and other healthcare entities working on the COVID-19 response for espionage purposes. Proofpoint also noted that TA453’s targeting of the sector may be temporary.

Throughout each stage of the pandemic response, threat actors have shifted tactics to prey on human nature for financial gain. Nation-state hackers, in particular, have launched multiple supply-chain attacks on Microsoft, Accellion, and SolarWinds, which marks a decidedly severe shift in tactics.

Similar actors have also successfully targeted unpatched legacy Microsoft platforms to gain access to networks.

Given the heightened targeting, healthcare entities should review spear-phishing guidance and review threats with employees to defend against these types of attacks.